CSV Injection Vulnerability in Business Directory Plugin for WordPress
CVE-2023-5527

8HIGH

Key Information:

Vendor

Wordpress
Status
Business Directory Plugin – Easy Listing Directories For WordPress
Vendor
CVE Published:
18 June 2024

What is CVE-2023-5527?

The Business Directory Plugin for WordPress, developed by Strategies, Inc., is susceptible to a CSV Injection vulnerability in versions up to and including 6.4.3. This vulnerability resides in the class-csv-exporter.php file, allowing authenticated users with author-level permissions and above to embed malicious input into CSV files that are exported by administrators. When these CSV files are opened on a local system with a vulnerable configuration, it can lead to untrusted code execution. Users of affected versions should review their permissions and consider updating to secure their installations.

Affected Version(s)

Business Directory Plugin – Easy Listing Directories for WordPress * <= 6.4.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/business-direc...
https://plugins.trac.wordpress.org/browser/business-direc...

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev
.